Sysinternals api monitor
9/1/2023

Please see the referenced Windows API pages for more information. There are many Windows API calls a payload can use to manipulate access tokens (e.g., LogonUser, DuplicateTokenEx, and ImpersonateLoggedOnUser). Monitoring for these API calls, loaded by a payload, for token manipulation is only practical through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. Monitoring OS API callbacks for the execution can also be a way to detect this behavior, but it requires specialized security tooling.

Also monitor for the initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (e.g., Sysmon EIDs 19-21), and for any process API calls for behavior that may be indicative of Process Injection.
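The Sysmon side of the advice above, as an added example that is not part of the original page: a small triage script that reads Sysmon event records and raises alerts for WMI filter/consumer/binding creation (EIDs 19, 20, 21, with a binding to a CommandLineEventConsumer or ActiveScriptEventConsumer scored highest, because that is what turns a subscription into a persistence mechanism) and for a remote thread created in a different process (EID 8, the classic CreateRemoteThread injection pattern). Field names follow Sysmon's event schema, the rendering of binding endpoints as WMI object paths (`CommandLineEventConsumer.Name="..."`) is an assumption about Sysmon's output, and every record is constructed here, not real telemetry. Token manipulation via LogonUser/DuplicateTokenEx/ImpersonateLoggedOnUser produces no Sysmon event and is deliberately out of scope, as the page notes it needs API-level tooling.

```python
"""Triage Sysmon events for WMI event-subscription persistence (EIDs 19-21)
and cross-process thread injection (EID 8). Field names follow Sysmon's
event schema; all records below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Consumer classes that execute an attacker-supplied command or script.
SCRIPT_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Assumed format of EID 21 endpoints: WMI object paths such as
# CommandLineEventConsumer.Name="UpdaterConsumer".
OBJ_PATH = re.compile(r'(\w+)\.Name="([^"]+)"')


def event(eid, computer, **fields):
    """Build a constructed, abbreviated Sysmon XML record for the sample set."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    event(19, "ws01", Operation="Created", User="CORP\\alice",
          EventNamespace="root\\subscription", Name="UpdaterFilter",
          Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 "
                "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"),
    event(20, "ws01", Operation="Created", User="CORP\\alice",
          Name="UpdaterConsumer", Type="CommandLineEventConsumer",
          Destination="powershell.exe -nop -w hidden -enc SQBFAFgA"),
    event(21, "ws01", Operation="Created", User="CORP\\alice",
          Consumer='CommandLineEventConsumer.Name="UpdaterConsumer"',
          Filter='__EventFilter.Name="UpdaterFilter"'),
    event(8, "ws01",
          SourceImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          TargetImage="C:\\Windows\\explorer.exe",
          StartAddress="0x00007FF9A2B40000", StartModule="", StartFunction=""),
    event(8, "ws01",  # same-image thread creation: normal, no alert
          SourceImage="C:\\Program Files\\Browser\\browser.exe",
          TargetImage="C:\\Program Files\\Browser\\browser.exe",
          StartAddress="0x00007FF9B0001000",
          StartModule="C:\\Program Files\\Browser\\browser.exe",
          StartFunction="WorkerEntry"),
]


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon record."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    return eid, fields


def triage(xml_events):
    """Apply the detection rules in order and return a list of alert dicts."""
    consumers = {}  # consumer name -> fields, so a binding is scored by consumer type
    alerts = []
    for xml_text in xml_events:
        eid, f = parse_event(xml_text)
        if eid == 19 and f.get("Operation") == "Created":
            alerts.append({"severity": "medium", "rule": "wmi-filter-created",
                           "who": f["User"], "detail": f["Query"]})
        elif eid == 20 and f.get("Operation") == "Created":
            consumers[f["Name"]] = f
            sev = "high" if f.get("Type") in SCRIPT_CONSUMERS else "medium"
            alerts.append({"severity": sev, "rule": "wmi-consumer-created",
                           "who": f["User"], "detail": f["Destination"]})
        elif eid == 21 and f.get("Operation") == "Created":
            m = OBJ_PATH.search(f.get("Consumer", ""))
            ctype, cname = m.groups() if m else ("", f.get("Consumer", ""))
            # Prefer the type seen in the earlier EID 20; fall back to the object path.
            ctype = consumers.get(cname, {}).get("Type") or ctype
            sev = "high" if ctype in SCRIPT_CONSUMERS else "medium"
            alerts.append({"severity": sev, "rule": "wmi-subscription-bound",
                           "who": f["User"],
                           "detail": f"{f.get('Filter')} -> {f.get('Consumer')}"})
        elif eid == 8 and f.get("SourceImage", "").lower() != f.get("TargetImage", "").lower():
            alerts.append({"severity": "high", "rule": "remote-thread-cross-process",
                           "who": f["SourceImage"],
                           "detail": f"{f['TargetImage']} @ {f['StartAddress']}"})
    return alerts


def count_by_severity(alerts):
    """Small rollup used for a console summary."""
    out = {}
    for a in alerts:
        out[a["severity"]] = out.get(a["severity"], 0) + 1
    return out


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['rule']:28} {a['who']}: {a['detail']}")
    print(count_by_severity(triage(SAMPLE_EVENTS)))
```

Run it against exported Sysmon XML (for example from `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`) by splitting the output into individual `<Event>` elements and passing them to `triage`. The binding rule deliberately keys on consumer type rather than on the filter's WQL, because a benign-looking trigger query bound to a CommandLineEventConsumer is still arbitrary code execution on every match.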